On Mon, Nov 13, 2023 at 11:08 AM Aoife Moloney <amolo...@redhat.com> wrote:
> Wiki -> > https://fedoraproject.org/wiki/Changes/Linker_Error_On_Security_Issues > > This document represents a proposed Change. As part of the Changes > process, proposals are publicly announced in order to receive > community feedback. This proposal will only be implemented if approved > by the Fedora Engineering Steering Committee. > > == Summary == > Change the system linker (ld.bfd) so that by default it will generate > an error message and fail if it is asked to create an executable > binary that contains one or more known security issues. These issues > are: > * an executable stack > * a loadable segment with read, write and execute permissions, > * a thread local storage segment with execute permission. > > == Owner == > * Name: [[User:nickc| Nick Clifton]] > * Email: ni...@redhat.com > > > == Detailed Description == > The BFD linker (ld.bfd) is able to detect several potential security > problems with the binaries that it is creating. Currently however the > linker's default behaviour is to generate warning messages about these > problems, but then it carries on and completes the link. > > Since only warning messages are generated, and these can be ignored or > lost in the output from a build, it is possible that packages are > being built without their owners being aware of the potential security > problems. Hence this change will alter the linker's default behaviour > to turn the warnings into errors, which in turn will prevent the > builds from completing successfully. > > The change would apply to three linker warnings: > > * The creation of a program containing a stack that is in a memory > region that has execute permission. > * The creation of a program with a loadable segment that has all three > of the read, write and execute permission bits set. > * The creation of a thread local storage segment that has the execute > permission bit set. > > == Feedback == > > == Benefit to Fedora == > The benefit of this change is that it will increase the overall > security of Fedora by helping to ensure that packages cannot be built > with one or more of these vulnerabilities without the owner being made > aware and having to take specific actions - either to remove the > vulnerability or disable the linker error message. > > == Scope == > * Proposal owners: > Enable the 'error_for_executable_stacks' and 'error_for_rwx_segments' > optional features in the binutils.spec file and then rebuild the > binutils. > > Following that a system wide rebuild will be needed in order for the > change to have a chance to take affect and cause vulnerable packages > to fail to build. Any packages that fail to build because of the > change will need to be updated to either remove the cause of the > problem or else add an extra command line option to be passed to the > linker to disable the new feature. > > * Other developers: > Other developers will only be affected if their package(s) fail to > build with the new linker. In this case the developer will need to > decide if the security vulnerability is actually needed by their > package, and if so add a linker command line option to turn off the > error, or if the vulnerability is not needed then fix their code so > that the problem is removed. > > It is known that this change will affect the edk2, glibc and grub2 > packages. Their owners will be contacted to assist them in deciding > how they wish to resolve the problems specific to their packages. > > Other developers can use the "--no-warn-execstack" and > "--no-warn-rwx-segments" linker command line options to disable the > errors. > Is there a way to test for problems due to this before the spec file changes are made? E.g. is there a set of linker flags that can be given during mock/scratch builds to enable this check in individual packages to see if they are affected? -Ian > > > * Release engineering: [https://pagure.io/releng/issue/11777] > > * Policies and guidelines: N/A (not needed for this Change) <!-- > REQUIRED FOR SYSTEM WIDE CHANGES --> > The packaging guidelines should not need to be updated. The vast > majority of programs will not be affected by this change. Packages > that are affected will already be requiring special behaviour from the > linker, so it can be assumed that their maintainers are familiar with > how to report linker problems and how to receive help. > > > * Trademark approval: N/A (not needed for this Change) > > * Alignment with Community Initiatives: N/A > > > == Upgrade/compatibility impact == > Upgrading previous versions of Fedora to one containing this change > will have no immediate effect. In fact the only visible change would > be if the upgraded system is used to compile a program and that > program contains one or more of the potential security vulnerabilities > that will now trigger errors. Even then the previous functionality > (of being able to successfully compile the vulnerable program) can be > restored by adding a specific linker command line option. > > > == How To Test == > > Compile programs. > > No special hardware or data is needed in order to test this change. > Just a Fedora system with the updated binutils package installed plus > whatever other packages are needed to compile any test programs. If > the programs compile and link successfully then there are no issues. > If they do not, and the reason that they do not compile is because of > error messages from the linker, then something needs to be done. > > Note - the linker's own testsuite includes tests to make sure that the > error messages are generated under the correct circumstances as well > tests to make sure that the errors can be disabled by the correct > command line options. > > == User Experience == > On the whole, users should not notice this change. > > Users who build programs on Fedora, and whose programs are built in > such a way that they are exposed to the security issues that will > trigger the new errors will be affected. Such users might be happy > that the problem is being brought to light, or annoyed that they will > now have to consider whether they need to fix their program or fix > their build system. > > == Dependencies == > None. > > == Contingency Plan == > * Contingency mechanism: Revert the change to the linker. > * Contingency deadline: Fedora 40 beta freeze. > * Blocks release? No > > == Documentation == > There is a blog about the warning messages that are being turned into > errors: > > > https://www.redhat.com/en/blog/linkers-warnings-about-executable-stacks-and-segments > > > == Release Notes == > (For the Developers/Binutils section of the release Notes) > > The linker's warning messages about the creation of binaries with > executable stacks or memory segments with the execute, read and write > permissions have now been turned into errors. This will prevent the > creation of programs with either of these vulnerabilities. The errors > can be turned off via the use of the --no-warn-execstack and > --no-warn-rwx-segments linker command line options. > > > -- > Aoife Moloney > > Fedora Operations Architect > > Fedora Project > > Matrix: @amoloney:fedora.im > > IRC: amoloney > _______________________________________________ > devel-announce mailing list -- devel-annou...@lists.fedoraproject.org > To unsubscribe send an email to > devel-announce-le...@lists.fedoraproject.org > Fedora Code of Conduct: > https://docs.fedoraproject.org/en-US/project/code-of-conduct/ > List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines > List Archives: > https://lists.fedoraproject.org/archives/list/devel-annou...@lists.fedoraproject.org > Do not reply to spam, report it: > https://pagure.io/fedora-infrastructure/new_issue >
_______________________________________________ devel mailing list -- devel@lists.fedoraproject.org To unsubscribe send an email to devel-le...@lists.fedoraproject.org Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/ List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines List Archives: https://lists.fedoraproject.org/archives/list/devel@lists.fedoraproject.org Do not reply to spam, report it: https://pagure.io/fedora-infrastructure/new_issue
